Checks whether super administrator permissions are granted to a RAM user, RAM user group, or RAM role. A policy that contains an Allow statement in which both the Resource and Action parameters are set to * grants super administrator permissions.
Scenario
You must adhere to the principle of least privilege. Do not grant super administrator permissions to RAM users, RAM user groups, or RAM roles that are not on the whitelist of approved identities.
Risk level
Default risk level: high.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If no RAM user, RAM user group, or RAM role is attached a policy in which both the Resource and Action parameters are set to *, the evaluation result is compliant.
- If a RAM user, RAM user group, or RAM role is attached a policy in which both the Resource and Action parameters are set to *, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | ram-policy-no-statements-with-admin-access-check |
| Rule ID | ram-policy-no-statements-with-admin-access-check |
| Tag | RAM, Group, Role, and User |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Time interval | 24 hours |
| Supported resource type | RAM user, RAM user group, and RAM role |
| Input parameter | None |
Non-compliance remediation
Modify the custom policies attached to the non-compliant RAM users, RAM user groups, and RAM roles so that no Allow statement sets both the Action and Resource parameters to *. For more information, see Modify the document and description of a custom policy.